Early Detection Feeds

Level-Up Your Security Stack with Enriched Threat Data

Monitor your cyber ecosystem

Our platform includes a comprehensive array of early detection feeds, which actively monitor domains, IPs, and URLs associated with various licensed and open-source frameworks, including C2 infrastructure.

Ingest threat-specific early detection data

Stay ahead of emerging threats and gain real-time insight into malicious campaigns targeting your organization.

Enrich alerts with risk and reputation scores

Provide context and prioritization to security alerts, enabling your team to focus on the most critical and potentially harmful incidents.

Map out active C2 servers

Monitor command and control servers in real-time, across a range of attack vectors.

Leverage a vast array of endpoints

Access a wide range of data sources and scoring systems to help you assess the trustworthiness and potential risks associated with various digital entities and online activities, including IP, domain, ASN and URL scoring.

Integrate With The World’s Leading First-Party DNS Threat Database

Use the Silent Push API to feed enriched data into your security infrastructure, allowing you to detect and respond to potential threats faster and more efficiently.

Curated Threat Feeds

Our feeds reflect an ongoing commitment to bolstering cyber defenses across the global security community. Real-time IOFA updates provide your security teams with up-to-date insights that safeguard your digital infrastructure.

1877 Team Domains and IPs

The 1877 Team is a Kurdish hacktivist group founded in July 2021 that has claimed responsibility for large doxing campaigns, massive website defacements, DDoS attacks, and the compromise of servers and databases belonging to governments, universities, telecommunication, defense, and IT corporations. The group’s primary targets lie in the Middle East, but African, Asian, and Western organizations have also been affected. The 1877 Team’s self-proclaimed goals include pressuring governments, spreading public dissent, and establishing a reputation within the cybercriminal space.

Two feeds.

7777 Botnet

IPs involved in the 7777 botnet – a 10,000 node botnet that’s used to brute-force Microsoft Azure user credentials.

Android Malware - ERMAC Domains and IPs

ERMAC is an Android banking trojan that overlays the screen display to steal users’ credentials.

Two feeds – domains and IPs.

Android Malware - Hookbot Domains and IPs

A malware family based on apk.ermac. It provides WebSocket communication and has RAT capabilities.

Two feeds – domains and IPs.

Android Malware - SpyNote Domains and IPs

SpyNote is spyware that logs and steals a variety of information, including keystrokes, call logs, and information on installed applications.

Two feeds – domains and IPs.

APT - APT37 Domains

APT37 has been active since 2012 and primarily targets organisations in South Korea, in both the public and private sectors, including electronics, manufacturing, aerospace, chemicals, automotive and healthcare.

APT - BlueNoroff Domains and IPs

BlueNoroff is a threat actor linked to Lazarus. Its attacks are financially motivated and mostly target ATMs, banks, fintech, and cryptocurrency companies.

Two feeds – domains and IPs.

APT - Flax Typhoon IPs

China-linked Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks.

APT - Gamaredon Apex Domains

Gamaredon is a Russian APT that has been active since 2013. The group targets Ukrainian entities and their allies, and uses fast flux and wildcard DNS records to evade detection.

APT - Higaisa Domains and IPs

Higaisa is a South Korean threat actor whose activity started in 2009. Targets include governments and public and private organizations in North Korea, China, Japan, Russia, and other nations.

Two feeds – domains and IPs.

APT - Kimsuky Domains and IPs

Kimsuky is a North Korean APT group operating since 2012, targeting organizations in South Korea, the US and Japan. This feed tracks IPs associated with the C2 infrastructure operated by the group.

Two feeds – domains and IPs.

Assorted Threat Domains and IPs

Domains and IPs used for exploits, malware distribution, phishing attacks, C2, botnets, and other underground criminal activity such as personal data sales and black business forums, among others.

Two feeds – domains and IPs.

IcedID Domains and IPs

IcedID is a banking Trojan which first emerged in September 2017. It spreads via email spam campaigns and often uses other malware, such as Emotet, to help it proliferate. IcedID uses evasive techniques like process injection and steganography and steals user financial data via both redirection attacks (installing a local proxy to redirect users to fake cloned sites) and web injection attacks. Other than email spam, we have also observed its distribution through malvertisements on search engines. Recent variants of IcedID also have the capability to steal credentials from victims beyond financial information.

Two feeds – domains and IPs.

Bazarcall Domains and IPs

Bazarcall is a callback fraud initiated through phishing emails; potential victims are redirected to fake support pages, where they are made to connect with modified versions of remote desktop tools that give the attacker control of their systems.

Two feeds – domains and IPs.

Bulletproof Hosting Domains and IPs

This feed contains malicious domains and IPs detected in bulletproof hosting infrastructures such as Yalishanda, Eliteteam or DDoS-Guard, among others.

Two feeds – domains and IPs.

ACTINIUM Domains

Domains related to ACTINIUM, a Russian threat group which has been operational for almost a decade and has consistently launched attacks against organizations in Ukraine, or entities related to Ukrainian affairs.

Android Malware Domains and IPs

Domains and IPs associated with C2 infrastructure and admin panels of popular trojans targeting Android OS. Two feeds.

APT28 Domains and IPs

Domains and IPs utilized by APT28 (also known as Fancy Bear), a Russia-based threat actor active since 2008. APT28 has reportedly attacked infrastructure in the defense, energy, government, media, and aerospace sectors, particularly through the use of phishing campaigns and credential harvesting. Two feeds.

APT36 Domains & IPs

Domains and IPs associated with APT36 (also known as Earth Karkaddan), a Pakistan-based threat group known for targeting government and diplomatic organizations through cyber espionage, phishing, remote access trojans and social engineering. Two feeds.

Assorted Threats Domains and IPs

Various domains and IPs identified on malicious infrastructures seen across the world. The indicators on this feed include domains used for exploits, malware distribution, phishing attacks, command and control domains, botnets, personal data sales and ‘black’ business forums.

Vendor: Silent Push

Banking Malware Domains and IPs

Domains involved in deploying banking malware, such as IcedID, URSNIF, and Zusy, among others. Two feeds.

Bazarcall Domains and IPs

Covers domains and IP addresses for the Bazarcall scam, a callback fraud initiated through phishing emails in which potential victims are redirected to fake support pages and made to connect with modified versions of remote desktop tools that give the attacker control of their systems. Silent Push worked with CISA to protect users, as some federal employees also became victims of the campaign. Two feeds.

CISA advisory can be seen here: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a

BlueNoroff Domains and IPs

Domains and IPs associated with BlueNoroff, a threat actor linked to the North Korean Lazarus group. The attacks from this group are financially motivated, targeting ATMs, banks, fintech, and cryptocurrency platforms. Two feeds.

BulletProof Hosting Domains and IPs

Domains detected in several bulletproof hosting infrastructures such as Yalishanda, Eliteteam or DDoS-Guard, among others. Two feeds.

Clearfake Domains and IPs

ClearFake is a malicious JavaScript framework injected into compromised WordPress sites that delivers other malware using the drive-by download technique. It often spoofs download pages impersonating browser extensions and application updates, similar to campaigns like SocGholish.

Two feeds.

Cloudflare Suspected Phishing Domains

This feed contains domains that present a phishing page warning from Cloudflare.

Cobalt Strike C2 Active Domains and IPs

Domains and IPs with live Cobalt Strike beacons. Two feeds.

Covenant C2 Domains and IPs

Domains and IP addresses that are linked to Covenant – a .NET command and control framework.

GitHub – cobbr/Covenant: Covenant is a collaborative .NET C2 framework for red teamers.

ScreenConnect Exploit IPs

IP addresses involved in exploiting vulnerable ScreenConnect servers (CVE-2024-1708 and CVE-2024-1709).

Emotet Cobalt Strike IPs

Emotet Domains and IPs

Emotet is a banking trojan spread primarily through malspam, where malicious document attachments download the trojan.

Two feeds – domains and IPs.

Empire C2 IPs

IP addresses that are linked to Empire 4 – a post-exploitation framework that includes pure-PowerShell Windows agents, Python 3.x Linux/OS X agents, and C# agents.

Exploit Kit Domains

Fake Trading App/Crypto Scam Domains and IPs

Domains and IPs used to propagate several scams impersonating online trading services.

Two feeds – domains and IPs.

Fastflux Domains

Domains hosted on ‘fast flux’ infrastructure – an IP-swapping technique that allows threat actors to hide their malicious activities from blocklists and takedowns.

File Extensions TLD Domains

Domains registered under the new .zip or .mov top-level domains. Threat actors might exploit these file-extension TLDs to conduct malicious attacks, so we catalog these indicators as suspicious.

GoPhish C2 Domains and IPs

Gophish is a powerful, open-source phishing framework.

https://getgophish.com/

Havoc Framework IPs

The Havoc open-source command and control (C2) framework is used as an alternative to paid options such as Cobalt Strike and Brute Ratel. This feed collects externally exposed C2 servers running the post-exploitation tool.

Infostealers Domains and IPs

Domains and IPs associated with information-stealing malware – designed to harvest personal information such as cookie data, user names, and passwords. Info stealers have gained popularity among cybercriminals due to their cheap cost and availability in malware-as-a-service products. Two feeds.

Infostealer - Meduza Domains and IPs

Domains and IP addresses involved in the Meduza infostealer network.

Loader - DarkGate Domains and IPs

Domains and IPs associated with DarkGate, a sophisticated malware first observed in 2017 that was used exclusively by its author (dubbed RastaFarEye) until it was sold as MaaS from July 2023. The malware has been distributed via VBS scripts or MSI files spread by malvertising campaigns, emails containing malicious attachments, or phishing sent via compromised Teams accounts. Upon infection, the malware can steal credentials, cookies and other sensitive information, and download additional payloads such as cryptocurrency miners, cryptocurrency stealers and ransomware.

Two feeds.

Malvertising Domains and IPs

Domains and IPs linked to SEO poisoning/malvertising campaigns used to propagate malware spoofing AnyDesk, Remote Desktop, OBS, TeamViewer, MSI Afterburner, Blender, OpenOffice, Audacity, Slack, Brave Browser, among others.

Two feeds.

Malicious Infrastructure - Domains

This feed consists of multiple types of campaigns, varying from phishing, financial scams and SocGholish fake updates to C2 domains belonging to infostealers and spyware. These are associated with threat actors renting malicious infrastructure, often with bulletproof hosting support.

Malicious Infrastructure - Nameservers

Domains with NS records pointing at suspicious name servers – including phishing activities, C2 operations and botnets.

Meta Phishing Pages

Meta/Facebook Phishing Pages

Metasploit Pro Server IPs

The world’s most used penetration testing framework

https://github.com/rapid7/metasploit-framework

Meterpreter IPs

Meterpreter is a Metasploit attack payload that provides an interactive shell from which an attacker can explore the target machine and execute code. Meterpreter is deployed using in-memory DLL injection. As a result, Meterpreter resides entirely in memory and writes nothing to disk. This feed contains Meterpreter C2 server IPs with public exposure.

Mythic C2 Domains and IPs

A cross-platform, post-exploit, red teaming framework – https://github.com/its-a-feature/Mythic

Two feeds.

Nanocore C2 IPs

The NanoCore remote access Trojan (RAT) was first discovered in 2013 when it was being sold in underground forums. The malware has a variety of functions, such as a keylogger and a password stealer that can remotely pass data to the malware operator. It can also tamper with and view webcam footage, lock the screen, download and steal files, and more. The current NanoCore RAT is spread through malspam campaigns that use social engineering, with emails containing a fake bank payment receipt and request for quotation.

Open Directories Containing Malware

Pegasus Version 4

Phishing - Domains

Phishing domains from several campaigns across the Internet.

Phishing - Greatness Phishing Kit

Greatness focuses on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages.

Phishing - Microsoft 365 Credential Harvesting

Ongoing phishing campaign impersonating O365 login pages to harvest credentials.

Phishing - Postal Offices and Delivery Services Domains and IPs

Phishing domains involved in postal office/delivery scams.

Two feeds.

Posh C2 IPs

PoshC2 is a proxy-aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement.

https://github.com/Nettitude/PoshC2

Prolific Puma Domains and IPs

Prolific Puma provides an underground link shortening service to criminals. Infoblox states that during analysis, no legitimate content was observed being served through their shortener. For operation they use a registered domain generation algorithm (RDGA), based upon which they registered between 35k-75k domain names.

PupyRAT C2 IPs

Pupy is a cross-platform, multi-function RAT and post-exploitation tool mainly written in Python. It features an all-in-memory execution guideline and leaves a very low footprint.

https://github.com/n1nj4sec/pupy

Sandworm IPs

Contains IPs related to the actor known as Sandworm or Voodoo Bear, which is using a new malware, referred to as Cyclops Blink.

Shlayer Domains and IPs

Shlayer is a family of adware bundlers that target macOS systems.

Two feeds.

Silicon Valley Bank Suspect Domains

This feed contains all recently registered domains relating to the collapse of Silicon Valley Bank. Note that not all domains listed here will be malicious.

SPOT - Malicious Traffic

IOCs collected by our noise collector and tagged as being malicious.

SPOT - Malware Distribution Host IPs

IPs used to distribute malware.

Lumma C2 IPs and Domains

IPs used as Lumma Stealer C2 – an information stealer that was first advertised on a Russian-speaking DarkWeb forum at the end of 2022. The malware is sold as MaaS and specializes in extracting both system data and sensitive information including web browser cookies, history and extensions, two-factor authentication credentials, passwords and cryptocurrency data.

SuperShell C2 IPs

Supershell is a C2 remote control platform accessed through web services. By establishing a reverse SSH tunnel, a fully interactive shell can be obtained, and it supports payloads for multiple platforms and architectures.

Suspected Evilginx Domains and IPs

Evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows two-factor authentication protection to be bypassed.

Suspected Merlin C2 Domains and IPs

Merlin is a cross-platform post-exploitation Command & Control server.

https://github.com/Ne0nd0g/merlin

Team TNT Domains

Scattered Spider Domains and IPs

Scattered Spider is a financially motivated threat actor that leverages sophisticated social engineering to target organizations across several industries. The threat actor usually impersonates a help desk, requesting a password update or reset and directing the targeted employees to a phishing page crafted to mimic the organization’s actual page. This group targets the telecom, BPO, financial, insurance and entertainment industries, from which it tries to extort money and, most recently, deploys ransomware.

Two feeds.

Trojans - Downloader Domains

This feed contains IoCs associated with trojans that download and execute additional malware on compromised systems.

Trojans - DarkMe Domains

Underground Threats Domains

This feed contains domains gathered by tracking black markets and underground criminal activity, such as credit card sale domains, black business forums, and sites hosting information about the sale of personal data, social media accounts and passwords, and hacked financial accounts for banks and crypto wallets.

Viper C2 IPs

Viper is a RAT-based malware, developed by http://neehack.com/, that was able to go undetected by almost all of today’s antiviruses.

Web Skimmer Domains

Web skimming, also known as digital skimming, is a hacking technique that targets digital businesses by manipulating unmonitored and compromised client-side web applications. Usually, these attacks are initiated by placing malicious JavaScript (JS) code strategically on the payment and checkout pages of a website, where unsuspecting users fill in their personal and financial details. Although commonly found on eCommerce websites, banking, finance, healthcare, tourism, and other eService platforms are also being targeted. This feed consists of domains used in these campaigns.

Worms - Raspberry Robin Domains

Feed containing domains associated with worms – malware that replicates itself to other computers. Some of the worms we track include Raspberry Robin.

Learn more about our early detection feeds

See how our platform provides real-time insights that protect organizations from all manner of DNS-based attack vectors.